Solved: Field Alias: Created multiple but only a few showi...

adalbor · ‎01-21-2020

Hey All,

I created multiple field aliases for multiple sourcetypes and for each sourcetype I am only seeing a few of each created field aliases in my search results.

I checked all my search heads and they all have the aliases in their props.conf (created via GUI) and they all have global permissions.

Is there anything else I can check to see why this might be occurring?

For example:
Here is the stanza in props.conf for one of them
[WinEventLog]
FIELDALIAS-sn_ms_def_compname = ComputerName ASNEW sn_ms_def_compname
FIELDALIAS-sn_ms_def_detectsrc = Detection_Source ASNEW sn_ms_def_detectsrc
FIELDALIAS-sn_ms_def_evtcd = EventCode ASNEW sn_ms_def_evtcd
FIELDALIAS-sn_ms_def_message = EventDescription ASNEW sn_ms_def_message

In search the only field alias not showing up is the sn_ms_def_message

I have multiple other stanzas with the same behavior, some but not all of the field aliases will be in the search results.

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

View solution in original post

adalbor · ‎01-30-2020

I figured the issue out. The non-working aliases were having search order preference issues.
I created the non-working aliases in the local folders of each respective app and that fixed the issue.

Field Alias: Created multiple but only a few showing up

alias

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?